As Attrition.org states, Jericho is a security curmudgeon, pimp, helicopter pilot, lighter thief, HTML nazi, cat herder, guinea pig relationship specialist and obsessive compulsive TV game show participant.
Jericho has been poking about the hacker/security scene for over 19 years (for real), building valuable skills such as skepticism and anger management. As a hacker-turned-security whore, he has a great perspective to offer unsolicited opinion on just about any security topic. A long-time advocate of advancing the field, sometimes by any means necessary, he thinks the idea of ‘forward thinking’ is quaint; we’re supposed to be thinking that way all the time. No degree, no certifications, just the willingness to say things many in this dismal industry are thinking but unwilling to say themselves. He remains a champion of security industry integrity and small misunderstood creatures.
Jericho delivered a talk at Black Hat USA and RVAsec about his hobby project Errata, which is almost 14 years old now.
The Attrition.org Errata project has documented the shortcomings, hypocrisy, and disgraces of the information technology and security industries. It exists to enlighten readers about errors, omissions, incidents, lies and charlatans in the security industry.
– Jericho, what types of your sources contribute the most information? What group of your sources is the most valuable?
– In the last year, it has been an even mix of comments via Twitter or email. While Twitter may be a bit more frequent, the emails typically have a little more information to go on.
– Among Errata's 7 categories – charlatans, companies, security companies, plagiarism, certified pre-owned, legal threats, statistics – which section consumes the most of your time? Do you see any growing activity in any category?
– Hands down, it is the Charlatans page. It requires the most research to ensure accuracy, verification of all sources, and ensuring it is as fair and balanced as possible. It also requires the most original authoring. If we had unlimited time or resources (e.g. personnel), it would be Charlatans.
– When does someone move from watch list to the Errata? What metrics do you use to determine the severity of a case and that it deserves a full article?
– It is a judgment call, so the decision is made as a group. Everyone gives feedback if they believe there is enough activity, and more specifically, enough *intent* by the person to do bad things. There are no formal metrics or guidelines, each case is too different.
– One charlatan was removed from Errata. Do you have anything else planned for removal?
– Actually, two have been removed. One from the watch list, one from the full list. Currently, there are no plans for additional removals. Those are done when the person(s) approach us to rationally discuss the page, show an interest in changing for the better, and work together to get them going in the right direction.
– You already had several sitdowns with your “heroes” which brought positive results. Do you plan more such discussions?
– I assume by “heroes” you mean charlatans. We generally don’t plan for such meetings; they happen when the person contacts us and wants to discuss further. In one case, it was someone who heard they were on the unpublished watch list. In other cases, it was someone already published, but as mentioned in my response to the previous question, wanted to improve.
– You are maintaining a black list, but in your opinion, which companies or individuals are the best in the security industry? Who do you look up to?
– The number of companies who actually do really well is so small, it’s hard to even list them. Publicly, as Errata / attrition.org, we cannot really endorse anyone. It would ultimately lead to problems with the perception of bias. If the company turned around and started doing bad, then we’re in a position of documenting someone we said was good.
– And who is the most dangerous – AV or other software or services or maybe individual “experts”?
– Each has their own attributes that make them dangerous. The single “expert” that gets on the news and seen by millions can prove to be worse than a company with 500k customers.
– According to your stats, we see that auto fail stats by year are decreasing – what has changed? Do you think it will continue to decrease?
– Just the reported incidents we have documented have failed. We know there are a lot more incidents, but they tend to affect a much smaller group, or are fixed in very short order. When that happens, they tend not to make news. I’d like to think that the QA process at these companies has improved over the years, and that past incidents taught them the importance of testing, which led to lower incidents.
– Do you know of any progress with vulnerability disclosure standards?
– This is really a question for the OSF and the OSVDB project. While I am involved with that, I would rather it be kept separate from the Errata talk. To me, they are very different projects with different goals.
– Can you share any latest info on companies using your data from OSVDB or DatalossDB?
– The OSF has to answer that. I can say that yes, many companies are using data from both projects, but OSF has to give details.
– How often do researchers face legal threats and how dangerous are most legal threats?
– It doesn’t appear to happen that often based on the documented incidents. However, even one or two a year is depressing. In most cases, they are not dangerous per se, but they still pose a serious risk in the way of influencing future researchers. Every time there is a legal threat, researchers new to the field may see that and decide not to share their research, just to ensure they avoid such a hassle.
– Errata has a section dedicated to suspicious statistics, which various media outlets try to feed us. It’s a sad thing, but is there any place for amusement, like what are the most absurd numbers you have come across?
– That section has not been updated in some time, for the same reason we had to stop updating ‘Media’ (articles). There are too many bad stats being passed off as legitimate. I occasionally blog in great detail about bad vulnerability statistics for OSVDB.
– What do you think of comments like – people write a plagiarized book on purpose and try to get mentioned on your site, and then curiosity sells this book?
– I can’t imagine that anyone is actually doing that. Even if they are, it is about the most absurd business strategy ever. It is already difficult to sell computer books. Most are not a vehicle for profit; rather, they are used for resume fodder and the name recognition. Given how difficult it was for us to obtain some of these books, I don’t think it is working if someone is actually attempting that.
– Can you share an interesting example of a blowback not covered at presentations?
– I am currently going through a new one. A charlatan on the watch list threatened to sue the company I work for (i.e. my day job), which has absolutely nothing to do with Attrition, Errata, or anything else I do in my spare time. It is a desperate attempt to pressure me into removing the material. Apparently he hasn’t read previous articles and comments I wrote. Desperate and unethical attempts to remove content like that only strengthen my resolve.
– Where do most legal actions against you come from?
– Almost all of the legal threats have come from Charlatans in the past years I believe. We had a few back when we took copies of defaced web pages as well.
– Can you share any serious consequences for you in terms of criminal procedures?
– Only one of the threats actually made it to a filed case, and it was settled out of court before the first real hearing. Ultimately, we removed 1 image that was icing on the cake and not needed to support the article (that had been published for months). It was a Pyrrhic victory for them.
– I understand you receive plenty of legal threats, but they resulted only in a couple of trials, am I right? Why is it so? Where and why do your opponents drop claims?
– Just the one as mentioned. Most never make it to court because they are groundless claims to begin with. Sure, anyone can file any lawsuit against anyone for anything. But finding a lawyer that will take such a case becomes difficult. Even then, such a lawsuit will only result in the ‘Streisand Effect’, and will not achieve the results they want. As soon as word breaks we are getting sued for specific content, people ensure that copies of it are posted all over the Internet just in case we have to take it down.
– What were the recent attacks on your website?
– Honestly, no clue. We stopped watching our logs to that degree. The amount of automated scanners looking for vulnerabilities is absurd. It is almost a full time job just trying to figure out which attacks are automated or not. We do our best to maintain a secure server but know better than anyone it is ultimately going to fail. We’ve been compromised a few times in the past, and I am sure if we aren’t currently owned, we will be again.
– Your presentation slides say you: “Wouldn’t mind seeing InfoSec industry burn to the ground.” Do you think it is mostly a security theatre? If it burns to the ground now – what will come instead?
– Most of our industry is either theatre or a money-making machine. Very little of what is *sold* helps like claimed. The basic security technologies we have relied on for 20 years (e.g. Firewalls, IDS) continue to do just as well, if not better, than the new fancy solutions with buzz words and blinky lights.
– Projects like yours help build open society. Have you thought of or are you planning to help launch similar initiatives, maybe on local level?
– Personally, I support the local community in many ways. I have been a contributor to our local hacker space, continue to help a local hacker-run DIY shop, help organize our BSides Denver conference, and more.
– Are your audience and volunteers’ help growing now? Do conference talks help with this?
– No, and no. It has been difficult to find volunteers since day one. Very few stick with it, and very few put in the hours. That is why we don’t publish that much. If we had a single full time person for example, I imagine we’d have 3 – 4x the content you see. There are plenty of leads, just not enough time to research and write about them.
– What are your goals for Errata now? Are you planning to attract volunteers?
– We’ve tried several times in the past, and it ultimately didn’t work out. We had a few that helped with some of the initial research, but even the last group didn’t make it more than a couple months. It becomes as time-consuming trying to manage the volunteers as it does to do the work ourselves. It makes sense though. It is time consuming work, and offers no personal glory. It requires a lot of effort to document a charlatan, and ultimately the only thing you get is a sense of personal satisfaction. Compare that to other projects that have software releases, a big user-base that relies on your work, etc.
– What have you learned running Errata? Has Errata changed anything in you?
– I’ve learned a lot and have a blog in the works. I don’t know when it will be published, but likely this year. Where the Errata presentation was an overview of the project and status, this will be more a ‘Lessons Learned’ and personal commentary on it.